New docs outline scope, security requirements for CIA enterprise cloud

The CIA has released an updated draft RFP for its massive, multi-billion dollar enterprise cloud, providing new details around the scope of services, cybersecurity protections and contract requirements.

According to the draft request for proposals, the resulting indefinite-delivery, indefinite-quantity Commercial Cloud Enterprise contract will include multiple awarded vendors proposing a range of cloud services, including infrastructure-as-a-service, platform-as-a-service and software-as-a-service offerings. The C2E contract would also include a separate acquisition for cloud integration services and multi-cloud management support tools. It will have a base term of five years, with two additional five-year optional amendments.

The agency will establish new clouds for each level of the classification process, relying on one commercial-off-the-shelf offering and a corresponding Federal Risk and Authorization Management Program-authorized offering for the unclassified portion, while building more restrictive versions to handle secret and top secret information. The plan calls for broad dissemination of data centers, on land, undersea and in space, both on and off government premises where required.

In particular, CIA wants to reap the flexibility and benefits of operating in a multicloud environment, and it said it believes the approach will help it reach disconnected and low-bandwidth environments and monitor for insider threats.

"Multi-cloud architectures allow cloud services to be selected based on development strategy and project objectives," the RFP states. "In a multi-cloud ecosystem, the Government will gain advantages from use of each [provider's] unique area of investment in technology, cybersecurity strategy, and best practices."

The agency also hopes to leverage C2E and its computing capabilities to further current efforts around artificial intelligence and machine learning.

"These capabilities require unified security processes and acceptance that enable quick adoption and portability of applications, data, and code," the draft RFP states. "The IC will leverage these capabilities in an approach that favors vendor flexibility, simplifies use and adoption of new and cloud-native technologies, and promotes necessary culture changes."

The chosen cloud service providers must also ensure that their supply chain security practices are aligned with requirements in the Secure Technology Act and Federal Acquisition Regulations. Those procedures include providing detailed information about all subcontractors and third-party software and hardware providers involved in their offerings, down to the third level, as well as what steps companies have taken to vet their security practices.

According to draft proposal's introduction, the agency's foray into the cloud has been "transformational" for the intelligence community, "increasing the speed at which new applications can be developed to support mission and improving the functionality and security of those applications." The agency's cloud services and computing resources are also used by a range other intelligence agencies and federal partners.